Opinion: SMEs: Emerging risks - Cybersecurity for smaller businesses

In 2018, household names such as British Airways, Marriott Hotels and Facebook faced the potentially devastating consequences of large-scale data breaches. However, the threat may be bigger for SMEs, as smaller businesses lack the same resources to protect themselves against a cybersecurity attack.

If a company has a limited resource pool to draw from, it can be tempting to concentrate solely on protecting against the more traditional and visible risks to the business. It is often only when a cyber incident occurs that a business realises its insurance cover, if any, is inadequate. It is worth highlighting that the General Data Protection Regulation imposes the same responsibility on all businesses that handle personal data, irrespective of size. Because of this, cyber insurance is expected to become a standard part of all business expenses in the next five years.

Being a small business does not automatically mean handling small amounts of personal data, so an SME may find itself dealing with a data breach with huge financial consequences. The UK’s data protection regulator, the Information Commissioner’s Office, will not look favourably on any company that has failed to implement adequate security measures, and being an SME is no excuse.

Cyber attacks do not have to be sophisticated to be effective. The most prevalent type of attack in 2018 was by way of business email compromise, often conducted by a phishing attack. Criminals tend to target the mailboxes of senior members of a company, which often contain sensitive information. Many businesses are unaware of a breach until a financial fraud occurs, although the criminals may have had access to the mailbox, and the data held within it, for a significant amount of time.

There remains a widely held misconception that only exfiltration – the unauthorised copying, transferring or retrieval of data – constitutes a breach. However, if the integrity of an IT system has been compromised, resulting in criminals having access to the personal data, this may still constitute a data breach and require notification to the ICO and potentially the affected data subjects.

Any notification to the ICO carries the risk of significant regulatory penalties. The French regulator recently fined Google €50m (£43.4m), and while the ICO is yet to issue a significant post-GDPR fine, some high-profile decisions are expected in 2019, the rationale behind which will undoubtedly influence the SME sector.

Hidden costs

Regulatory fines grab headlines, but the hidden costs of dealing with a cyber incident may be the most onerous for SMEs. It is not just the immediate consequences of financial fraud and business interruption costs that should be considered, but also the fees for third-party advisors, such as lawyers, IT forensics and press officers. Insurers often have special arrangements with these providers, which means policyholders can access a ‘toolbox’ in the midst of a crisis.

Also of concern are longer term financial and reputational costs, such as the loss of customers or contracts, or the impact of third-party claims made by affected customers.

While a larger business may be able to absorb these additional costs, they could easily overwhelm a smaller company.

A hairdressing salon recently felt the unexpected impact of a data breach resulting from a ransomware attack. As a small business with only 15 employees, it did not consider itself at risk of a cyber attack. However, even though it paid the ransom demand, it did not get its data back, was not able to trade or contact its clients, and had no contingency plan in place.

SMEs should, therefore, urgently consider whether their current cybersecurity arrangements are sufficient and formulate a breach response plan for when the inevitable occurs.
